The document discusses exploiting out-of-memory (OOM) exceptions in web browsers to achieve remote code execution. It begins by explaining how OOM exceptions occur in browsers and strategies for triggering them reliably. It then describes a case study of triggering controllable OOM exceptions in Microsoft Edge to corrupt memory. By breaking transaction operations on arrays during an OOM, the author was able to achieve memory corruption and potentially remote code execution on Edge.

1. From Out of Memory to Remote
Code Execu3on
Yuki Chen (@guhe120)
Qihoo 360Vulcan Team

2. CVE-2014-0290,CVE-2014-0321,CVE-2014-1753,CVE-2014-1769,CVE-2014-1782,CVE-2014-1804,
CVE-2014-2768,CVE-2014-2802,CVE-2014-2803,CVE-2014-2824,CVE-2014-4057,CVE-2014-4092,
CVE-2014-4091,CVE-2014-4095,CVE-2014-4096,CVE-2014-4097,CVE-2014-4082,CVE-2014-4105,
CVE-2014-4129,CVE-2014-6369,CVE-2015-0029,CVE-2015-1745,CVE-2015-1743,CVE-2015-3134,
CVE-2015-3135,CVE-2015-4431,CVE-2015-5552,CVE-2015-5553,CVE-2015-5559,CVE-2015-6682,
CVE-2015-7635,CVE-2015-7636,CVE-2015-7637,CVE-2015-7638,CVE-2015-7639,CVE-2015-7640,
CVE-2015-7641,CVE-2015-7642,CVE-2015-7643,CVE-2015-8454,CVE-2015-8059,CVE-2015-8058,
CVE-2015-8055,CVE-2015-8057,CVE-2015-8056,CVE-2015-8061,CVE-2015-8067,CVE-2015-8066,
CVE-2015-8062,CVE-2015-8068,CVE-2015-8064,CVE-2015-8065,CVE-2015-8063,CVE-2015-8405,
CVE-2015-8404,CVE-2015-8402,CVE-2015-8403,CVE-2015-8071,CVE-2015-8401,CVE-2015-8406,
CVE-2015-8069,CVE-2015-8070,CVE-2015-8440,CVE-2015-8409,CVE-2015-8047,CVE-2015-8455,
CVE-2015-8045,CVE-2015-8441,CVE-2016-0980,CVE-2016-1015,CVE-2016-1016,CVE-2016-1017,
CVE-2016-4120,CVE-2016-4160,CVE-2016-4161,CVE-2016-4162,CVE-2016-4163,CVE-2016-4185
CVE-2016-4249,CVE-2016-4180,CVE-2016-4181,CVE-2016-4183,CVE-2016-4184,CVE-2016-4185,
CVE-2016-4186,CVE-2016-4187,CVE-2016-4233,CVE-2016-4234,CVE-2016-4235,CVE-2016-4236,
CVE-2016-4237,CVE-2016-4238,CVE-2016-4239,CVE-2016-4240,CVE-2016-4241,CVE-2016-4242,
CVE-2016-4243,CVE-2016-4244,CVE-2016-4245,CVE-2016-4246,CVE-2016-4182,CVE-2016-3375,
CVE-2017-3001,CVE-2017-3002,CVE-2017-3003,CVE-2017-0238,CVE-2017-0236,CVE-2017-8549,
CVE-2017-8619
Who am I
Bug Hunter @ 360 Vulcan Team

3. Who am I
Hardcore ACG Otaku

4. About 360Vulcan Team
ü Security Researches from Qihu
360
ü Pwn2Own Winners:
ü Pwn2Own 2015 IE11
ü Pwn2Own 2016 Google
Chrome, Adobe Flash
ü Pwn2Own 2017 Edge, Safari,
Adobe Flash, Win10, Mac OSX
ü “Master of Pwn” Pwn2Own
2017

5. Agenda
• Out-of-Memory Excep3on in Browser
• From Out-of-Memory to RCE
• From Out-of-Memory to ASLR bypass
• Conclusion

6. Out of Memory Excep3on
in Web Brower

7. Out of Memory Excep3on
“Run%me excep%on when
there is no sufficient memory.”

8. Browser OOM Example 1
• IE 8 CA_rArray Use Aaer Free (cve-2014-1753)
• Found by fuzzing
function f() {
var size = 0x8000000;
var s = "AAAA";
while (s.length < (size - 2)/2)
s += s;
var x = document.createElement("frame");
x.setAttribute("prop2", s.substring(0, (size - 2)/2));
var node = document.body.appendChild(x);
for ( var y = 0; y < 20; ++ y ) {
var z = node.cloneNode();
document.body.appendChild(z);
}
}

9. CloneNode
Clone
a_ributes
One by one
Create a new
A_ributes
Array
Copy
A9ribute
Fail ?
Free
A_ributes
Array
Access
A_ributes
Array
(UAF)
If the a9ribute to copy is a very large string,
it can cause an Out-of-Memory when clone
The a9ribute. Finally trig the use aHer free.

10. Browser OOM Example 2
• IE Jscirpt JSON.parse OOM Memory Corrup3on
var chunksize = 0x2000000;
var json = '['
for ( var i = 0; i < chunksize/0x10; ++ i )
json += '1,'
json += '1]';
var arr = new Array();
try {
for ( var i = 0; i < 0x1000; ++ i )
arr.push(json.substr(0, (chunksize-2)/2));
} catch (e) {} // Force IE into low-memory state by
allocating large amount of memory
while (true) {
JSON.parse(json);
}

11. jscript!JSONParser::ParseObject+0x3fb:
65b4e9da mov eax,dword ptr [esi+14h] // length of the json array
65b4e9dd mov dword ptr [esp+14h],eax
65b4e9e1 shl eax,4 // alloc size = arr_length * 0x10
65b4e9e4 push eax
65b4e9e5 mov dword ptr [esp+20h],eax
65b4e9e9 call dword ptr [jscript!_imp__malloc (65b740fc)]
// malloc can fail if there is no sufficient memory
// malloc fail is not checked and will directly copy content
to address [NULL + arr_size]
65b4ea2f a5 movs dword ptr es:[edi],dword ptr [esi] es:002b:00777fc0=????????
ds:002b:03eb8398=00000003

12. OOM Bugs – Different Types
• Handled/Not Handled
• Controllable/Uncontrollable
• 32-bits/64-bits
• Con3nuable/Not Con3nuable

13. Handled/Not Handled
• Handled OOM
– Developer is aware of poten3al OOM in the code
– But failed to handle it correctly (e.g. the IE CA_rArray
UAF case)
• Not handled OOM
– Developer has no idea about the poten3al OOM in the
code (e.g. the JSON case)
– Can cause unexpected execu3on path change (early
return, excep3on), which can cause exploitable
condi3on

14. Controllable/Uncontrollable
• Controllable
– We can trig the OOM excep3on reliably, at any
3me we want
• Controllable large alloca3on
• Controllable low-memory state
• Uncontrollable
– Occurs randomly, not controlled by us
• Small alloca3ons
• Uncontrollable low-memory state

15. 32-bits/64-bits
• Usually, it’s easier to find reliable OOM in 32-
bits targets than 64-bits
• Because it’s easier to force the process into a
low-memory state in 32-bits target
– By brute force alloca3ons

16. Con3nuable/Not Con3nuable
• Con3nuable
– Program can con3nue to execute aaer the OOM
– Exploit possible
• Not Con3nuable
– Program can not con3nue to execute aaer OOM
• Crash immediately due to non-exploitable memory corrup3on
(e.g. null pointer deference)
• Crash ac3vely for alloca3ons that can not fail
• Browser has a memory limita3on, and will crash if memory
exceeds the limita3on
– Not exploitable, only DDOS L

17. Find/Focus on controllable
and con,nuable OOM
excep3ons only
For bug hunters:

18. Find OOM Bugs
• Normal Fuzz
– Fuzz with random values some 3mes trigs OOM
• Fuzz in low memory state
– Tools such as Applica3on Verifier
– Hook alloca3on APIs
– Some browsers has test interface for out-of-m
memory simula3on (e.g. FireFox)
• Code audi3ng

19. From Out-of-Memory to
Remote Code Execu3on

20. A Journey With OOM Bugs in
Microsoa Edge
• Find controllable OOM in Edge
• Break the transac3on opera3ons to make
inconsistent array state
• Achieve memory corrup3on
• Win

21. Find controllable OOM in Edge
• We need to find OOM excep3ons which could
be trigged reliably
• JavaScript array segment alloca3on is a nice
vector

22. Array Segment
• JavaScript array in IE/Edge
– A link list of array segments
length
head
Array
Head Segment
lea
length
size
next
element[0]
element[N]
…
Segment 1
lea
length
size
next
element[0]
element[N]
…
Segment N
…

23. var arr = new Array();
arr[0] = 1;
arr[1] = 2;
arr[2000] = 3;
arr[5000] = 4;
Head
segment
arr
le. = 0
length = 2
element[0] = 1
element[1] = 2
Segment
1
Segment
2
le. = 2000
length = 1
element[0] = 3
le. = 5000
length = 1
element[0] = 4

24. Array Segment (.cont)
• JavaScript array elements are stored in
segments
– When alloca3ng an array segment, it also
allocates the memory space for elements in it
• When add a new element into array, if there is
no exis3ng space for it, it either allocates new
segment or enlarges exis3ng segment

25. Array Segment Alloca3on OOM in
32-bits Edge
• When alloca3ng array segment, if there’s no sufficient
memory, an OOM excep3on will be thrown

26. try {
for (var i = 0x10000000; i < 0x18000000; ++ i)
a[i] = 0x0d0d0d0d;
} catch (e) {}
try {
while (true) {
arr_ab.push(new ArrayBuffer(0x02c9dbec * 4)); // Step 1: Make
browser into a low-memory state by alloca,ng large memoy
}
} catch (e){}
try {
a.reverse(); // Step 2: Trig array segment alloca,on
to throw OOM excep,on
} catch (e) {alert(e);}
Trig OOM in 32-bits Edge - Example

27. Trig OOM in 32-bits Edge
– Example (.cont)

28. Array Segment Alloca3on OOM in
64-bits Edge
• We are not able to force 64-bits Edge into
insufficient memory state
– Because 64-bits process’s memory space is large
• There is s,ll a chance to trig OOM excep3on
in 64-bits Edge
– If there is an overflow in alloca,on size

29. OOM When Allocate Size Overflow

30. var aaa = new Array();
for (var i = 0; i < arrSize.length; ++ i) {
aaa.unshia.apply(aaa, args); // Step 1: Grow array segment
size un,l nearly overflow
aaa[arrSize[i] - 1] = 1;
}
try {
aaa.unshia.apply(aaa, args); // Step 2: Trig another segment size
grow where the size will overflow
} catch (e) { // Error: Out of Memory }
Trig OOM in 64-bits Edge - Example

31. Trig OOM in 64-bits Edge –
Example (.cont)

32. Now we have controllable OOM in
both 32/64-bits Edge, what’s Next?

33. Array Transac3on Opera3on
• Array contains some import fields
– Array: array type, length, head, cached last-used
segment
– Segment: lea, length, size, elements
• When you change one of the fields, you must
also change some others to keep the array valid
– E.g. When you convert an Int array to Float array, the
int elements in the segments need also be changed to
floats

34. Array Transac3on Opera3on
(.cont)
• Many JavaScript array APIs will make change
to the array
– shia, unshia, splice, …
– The core part of such code requires atomicity and
consistency
– Just like transac3on in database, so we call them
array transac3on opera3ons
– Break array transac3on opera3ons can cause
trouble

35. Array Transac3on Opera3on - Example
• Convert a Na3veInt array to Na3veFloat array
Foreach segment in array:
segment->ChangeElementsToFloat()
SetArrayType(NaDveFloatArray)
If the code returns unexpectedly in the middle of the itera%on,
you will get a Na%veIntArray with some Float segments

36. Break Array Transac3on Opera3on
• Callback in the transac3on opera3on
– Common pa_ern of Edge bugs
• Excep3on that breaks code flow
– Out of Memory Excep3ons J

37. Let’s Party!

38. RCE Case: Array.unshia
nElemntsToUnshiG = Number of Elements to UnshiG
Foreach segment in array:
segment->leG += nElemntsToUnshiG (1)
SetUnshiGElementsToHeadSegment(); (2)
Array->length += nElemntsToUnshiG; (3)
Transac3on Opera3on of Array.unshia

39. nElemntsToUnshiG = Number of Elements to UnshiG
Foreach segment in array:
segment->leG += nElemntsToUnshiG (1)
SetUnshiGElementsToHeadSegment(); (2)
Array->length += nElemntsToUnshiG; (3)
Break
Set elements to the head segment can cause
realloca%on of the head segment,
which can throw Out-of-Memory excep%on

40. RCE Case: Array.unshia
• By breaking the Array.unshia transac3on
opera3on
– We have an inconsistent array that:
array->lastSegment->lea + array->lastSegment->length
> array->length
– While the array manipula3ng code assumes that:
array->lastSegment->lea + array->lastSegment->length
<= array->length

41. RCE Case: Array.unshia
• Call Array.unshia again on the inconsistent
array, we can get an array that:
arr->lastSegment->length > arr->lastSegment->size
• An array segment whose length is larger than
size can cause heap overflow in many places
– Such as JavaScriptArray::DirectSetElementAt

42. RCE Case: Array.unshia
• A heap overflow in array segment is quite
simple to exploit
• Just allocate another array segment aaer the
overflowed segment, then we can overwrite
the length and size filed of next segment
lea length size
Overflow
0xffffffff 0xffffffff
Overflowed
Segment
Next
Segment

43. RCE Case: Array.unshia
• Used to exploit Edge at Pwn2Own 2017
• Fixed as CVE-2017-0238
Demo

44. RCE Case:
JavascriptNa3veIntArray::ToNa3veFloatArray
• This func3on converts an int array to float array
Foreach segment in array:
seg->size >>= 1 (1)
if (seg->length > (seg->size >>= 1))
seg = AllocateNewSegment (2)
Seg->ChangeElementToFloat() (3)
Adjust(seg->length) (4)
Transac3on Opera3on of JavascriptNa3veIntArray::ToNa3veFloatArray

45. Foreach segment in array:
seg->size >>= 1 (1)
if (seg->length > (seg->size >>= 1))
seg = AllocateNewSegment (2)
Seg->ChangeElementToFloat() (3)
Adjust(seg->length) (4)
Break
Allocate a new array segment
can throw Out-of-Memory excep%on.
At this point, seg->size has been diveded by 2, while
seg->length remains unchanged.

46. • By breaking the ToNa3veFloatArray transac3on
opera3on
– We can have an array segment that
Seg->length > Seg->size
• Get RCE exactly the same way as Array.unshia
– One of the backup bugs for Pwn2Own 2017
– We prepared several similar bugs as backups (e.g.
Array.splice)
RCE Case:
JavascriptNa3veIntArray::ToNa3veFloatArray

47. Patch Time – April Fix
• Microsoa fixed our Pwn2Own bug in April
• The fix is a li_le surprise
– It does not fix the OOM excep3ons
– Instead it tries to break the exploit tech we used
• Added a new func3on “CheckLengthVsSize”
• To avoid heap overflows caused by “segment->length >
segment->size”

48. CheckLengthVsSize
If detected “segment->length > segment->size”,
crash the process immediately

49. Problem of The April Fix
• It breaks some OOM exploits in our hand
• But the root cause s3ll not fixed
– Root cause: OOM excep3on breaks array
transac3on opera3on
• And there are other OOM vulnerabili3es that
do not require “seg->length > seg->size” to
exploit

50. Let’s Con3nue Party
OOM bugs can s3ll fight in the next 10 months
OOMバグはあと１０ヶ月は戦える！

51. RCE Case: Array.reverse
Segment Use Aaer Free
Reverse the whole segment list (1)
If head is leaf segment:
head = ReallocateNonLeafSegment (2)
Transac3on Opera3on of Array.reverse

52. Leaf Segment
• Leaf segment
– Pure data segment
– Next Segment will NOT be scanned when GC
• Non leaf segment
– Next Segment will be scanned when GC
Non Leaf Non Leaf Leaf
Leaf Non Leaf Non Leaf
ü
X
The last 2 segments will not be
scanned by GC and will be freed
unexpectedly, causing use aaer free

53. RCE Case: Array.reverse
Segment Use Aaer Free
Non Leaf
Step 1: Reverse the segment list
Step 2: Reallocate head if it’s
leaf segment
Non Leaf Leaf
Leaf Non Leaf Non Leaf
Non Leaf Non Leaf Non Leaf
Break
Reallocate non leaf segment may cause out-of-memory
excep%on

54. RCE Case: Array.reverse
Segment Use Aaer Free
• By breaking the Array.reverse transac3on
opera3on, we can access an array segment
that has already be freed
• Easy to get full remote code execu3on
– Reuse the freed memory of the array segment
– Get a fake array segment (achieve OOM access,
type confusion, …)

55. RCE Case: Array.reverse
Segment Use Aaer Free
• Fixed as CVE-2017-8549 in June CPU
• Got $15,000 from edge bug bounty
– Many thanks to Microsoa J

56. RCE Case: ConvertToVarArray
Buffer Overflow
• JavascriptNa3veFloatArray::ConvertToVarArra
y buffer overflow
Foreach segment in array:
if seg is leaf segment:
seg = ReallocateNonLeafSegment() (1)
seg->size *= 2 (2)
seg>ChangeIntElementsToVar() (3)
Array->ChangeTypeToVarArray() (4)

57. Seg->size *= 2 ?
• In 32-bits edge, sizeof(Var) = 4, sizeof(Float) = 8
• So when conver3ng float segment to var
segment, we can double the capacity (size) of the
segment
Float Float
var var var var

58. Foreach segment in array:
if seg is leaf segment:
seg = ReallocateNonLeafSegment() (1)
seg->size *= 2 (2)
seg>ChangeIntElementsToVar() (3)
Array->ChangeTypeToVarArray() (4)
Break
Reallocate non leaf segment may cause out-of-memory
Excep%on. If we break at (1) in the middle of the itera%on,
some segments’ size will already be doubled, and the doubled
size will not be restored.

59. RCE Case: ConvertToVarArray Type
Confusion
• By breaking the transac3on opera3on in
JavascriptNa3veFloatArray::ConvertToVarArra
y
– We get a float array, with some double-sized
segments
• We can directly read/write out of the bounds
of the segments
– Find a monkey to finish the exploit

60. Patch Time (Again)
• Finally Microsoa starts to fix the root cause
– Probably because we con3nues to report OOM
bugs aaer Pwn2Own
• The fix
– Crash the process when detected OOM excep3on
in certain func3ons

61. AutoDisableInterrupt
• A class for protec3ng a region of code
• Crashes the process if the protected code
region throws any excep3on
• Solved the root cause
– Added to many import func3ons such as unshia,
splice, array conversions, …
– Maybe forget some func3on?

62. RCE Case: Array.reverse (Again)
• Aaer the AutoDisableInterrupt patch
– Array.reverse is not protected by it
• CVE-2017-8619 fixed the OOM segment UAF
issue we reported
• Then we found another OOM issue in the
same func3on
– CVE-2017-8753
– Type confusion caused by invalid
lastUsedSegment

63. lastUsedSegment
• JavaScript array will cache the last used array
segment, to speed up array access
• So when a segment is removed from the
array, the lastUsedSegment must also get
updated, otherwise it will cause trouble

64. RCE Case: Array.reverse (Again)
lastUsedSegment = head; (1)
head = AllocateNewHead(); (2)
If the last segment is leaf:
ReallocateLastSegmentToNonLeaf(); (3)
lastUsedSegment = head; (4)
Break
Reallocate non leaf segment may cause out-of-memory
Excep%on. If we break at (3), the array will have
a lastUsedSegment points to an invalidated segment

65. Exploit an Invalidated
lastUsedSegment
• Special thanks to our team member @LiuLong
for the method to exploit such bugs
• Exploit method
– Change the type of the array (e.g. Int Array ->
Float Array)
– The lastUsedSegment will not get updated when
changing array type
– Then we access elment in lastUsedSegment, we
get type confusion

66. And It Con3nuous …
• CVE-2017-8753 fixed in September
• End of OOM exploit in edge ?
• Let’s check it out J
• Demo 3me, maybe

67. From Out-of-Memory to
ASLR Bypass

68. Exhaust Memory in
64-bits Edge Browser?
• Usually you are not able to do this
– The browser (and the whole system) will get slow
or freeze before you using up the memory
– Because you commi_ed too much memory
• Un3l we find an interes3ng feature in 64-bits
browser

69. The Fast Array Buffer
• In 64-bits edge, when you allocate an array
buffer whose size is larger than 0x10000 (64
KB), it will be a “fast array buffer”
– ab = new ArrayBuffer(0x10000); // create a virtual
array buffer
• Edge reserves 0x100000000 (4GB) bytes for
each fast array buffer

70. 4GB for each buffer?

71. What Does That Mean
• When we allocate a 64 KB fast array buffer,
the real commi_ed memory is 64 KB
• But edge will reserve 4GB virtual memory
space for it
• So we can occupy 4GB memory by just
commi•ng 64 KB memory

72. Commit 64 KB, reserve 4GB

73. User Mode Memory Space
in 64-bits Edge
• Windows 10 uses 48-bits for user mode
memory
• User heap address will be always less than
0x800000000000
• So we only need to spray less than 0x8000
array buffers to exhaust user mode memory
space

74. 5 Lines to Exhaust Memory
in 64-bits Edge
var arr = new Array(0x10000 / 2);
try {
for (i = 0; i < arr.length; i ++ )
arr[i] = new ArrayBuffer(0x10000);
} catch (e) { // out of memory excep3on}

75. At the End of Spray
rcx=0000000800000000
rcx=0000000700000000
rcx=0000000600000000
rcx=0000000500000000
rcx=0000000400000000
rcx=0000000300000000
rcx=0000000200000000
rcx=0000000100000000
To our surprise, when we finished spraying most of the
array buffers, it begins to allocate memory at very
predictable addresses

76. Get Fixed Content at Fixed Address
• Aaer we finished the spray, we know one of
the fast array buffers will be allocated at a
fixed address (e.g. 0x200000000)
• If we free that array buffer, and spray some
interes3ng objects (e.g. JavaScript array), we
know these objects will be allocated at that
fixed address, thus we bypassed ASLR

77. 0x10000000
0x20000000
0x30000000
…
Fast Array Buffer
Fast Array Buffer
Fast Array Buffer
Fast Array Buffer
Fast Array Buffer
0
spray objects

78. Demo

79. Effect
• We can put controlled content at controlled
address in 64-bits edge
• Makes exploita3on of certain bugs easier
– Write-to-any once
– Use aaer free
– Type confusion

80. Limita3on
• It takes too long to finish the spray
– ~300 seconds on my laptop
• Not suitable for real a_ack
• Nice op3on to be used in contests such as
Pwn2OwnJ

81. Beyond ASLR Bypass
• Aaer we exhausted the 64-bits memory space,
we can make controllable OOM just like in 32-
bits process
• OOM vulnerabili3es that are only exploitable
in 32-bits process can be exploited in 64-bits
now if combined with this issue

82. Conclusion
• Out-of-Memory excep3ons in browsers are
oaen ignored by developers/bug hunters
• It is s3ll possible to find exploitable if we focus
on controllable ones in modern browser
• We s3ll need to take OOM issues seriously

83. Thank you!